From: Junio C Hamano <gitster@pobox.com>
To: Taylor Blau <me@ttaylorr.com>
Cc: Julia Ramer via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org,
Johannes Schindelin <Johannes.Schindelin@gmx.de>,
Julia Ramer <prplr@github.com>,
Keanen Wold <keanenwold@github.com>,
Veronica Giaudrone <veronica.Giaudrone@microsoft.com>,
Bri Brothers <brbrot@microsoft.com>,
Julia Ramer <gitprplr@gmail.com>
Subject: Re: [PATCH v2] embargoed releases: also describe the git-security list and the process
Date: Wed, 19 Oct 2022 14:50:41 -0700 [thread overview]
Message-ID: <xmqqfsfjpjny.fsf@gitster.g> (raw)
In-Reply-To: <Y1Bo18aU7YKKX9yh@nand.local> (Taylor Blau's message of "Wed, 19 Oct 2022 17:15:03 -0400")
Taylor Blau <me@ttaylorr.com> writes:
>> +A bug's life: Typical timeline
>> +------------------------------
>> +
>> +- A bug is reported to the `git-security` mailing list.
>> +
>> +- Within a couple of days, someone from the core Git team responds with an
>> + initial assessment of the bug’s severity.
>
> A few nitpicks on this and the above bullet point:
>
> - The git-security list isn't for bug reports, though there can be a
> security component to something that looks like a bug report.
>
> Perhaps to be clearer we should swap "bug" for "potential
> vulnerability"?
Good point and good idea.
> - On "within a couple of days", I think that this is aspirationally
> true, though not always the case. Perhaps, "as soon as possible"
> instead? That's vague enough that I wouldn't worry about somebody
> reading this document >2 days after submitting a potential
> vulnerability wondering why nobody has gotten back to them ;-).
The purpose of giving a "Typical" timeline is primarily to guide
readers what to expect once they raise an issue, and to bind us with
at least "aspirational" deadline (which is not a bad thing), isn't
it? Saying "As soon as possible" there is the same as not saying
anything at all, even though in reality it sometimes may be "when
somebody feels like it is worth looking into" ;-)
Depending on the nature of vulnerability, the time it takes to reach
a satisfactory conclusion may range from a few days to a few weeks,
so we may not be able to give even a "Typical" timeline, but I do
not think it is unreasonable to hold us to a few days turnaround
time at least for an initial reaction.
That's a roundabout way to say "I think the original text is good".
> - Finally, consider replacing "core Git team" with "member of the
> git-security list".
I am torn.
The folks who are deep into core git development may have better
ability to assess the severity of a particular bug and the
complexity of possible solutions than others, but platform
stakeholders know how Git is used within their system and how old
the target track they wish to be updated better than us. So in that
sense, limiting assessment to core developers may not be ideal.
But on the other hand, the initial report to the list are seen only
by the security list participants and nobody else, so by definition,
any response would come from them ;-)
> The private forks tied to a security advisory are often convenient
> (assuming that the reporter has a GitHub account) since they provide a
> shared workspace. But I think we usually avoid them when working on
> preparing a release for more than one vulnerability.
Yes, it is convenient for simple things, but not necessarily the
best option when we need to roll it upwards to produce releases for
multiple maintenance tracks.
The rest of your comments and suggestions address all good points.
Thanks.
next prev parent reply other threads:[~2022-10-19 21:50 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-01 22:39 [PATCH] embargoed releases: also describe the git-security list and the process Julia Ramer via GitGitGadget
2022-09-02 17:24 ` Junio C Hamano
2022-09-27 22:56 ` Julia Ramer
2022-09-28 17:12 ` Junio C Hamano
2022-10-18 20:43 ` Julia Ramer
2022-10-19 15:47 ` Junio C Hamano
2022-09-02 18:59 ` Junio C Hamano
2022-09-03 9:29 ` Johannes Schindelin
2022-09-05 20:28 ` Junio C Hamano
2022-10-19 1:16 ` [PATCH v2] " Julia Ramer via GitGitGadget
2022-10-19 18:53 ` Junio C Hamano
2022-10-19 21:22 ` Taylor Blau
2022-10-19 22:01 ` Junio C Hamano
2022-10-19 21:15 ` Taylor Blau
2022-10-19 21:50 ` Junio C Hamano [this message]
2022-10-20 17:06 ` Taylor Blau
2022-10-21 7:41 ` [PATCH v3] " Julia Ramer via GitGitGadget
2022-10-21 16:42 ` Junio C Hamano
2022-10-24 20:18 ` Julia Ramer
2022-10-24 22:56 ` Junio C Hamano
2022-10-22 0:11 ` Taylor Blau
2022-10-24 20:19 ` Julia Ramer
2022-10-24 22:07 ` [PATCH v4] " Julia Ramer via GitGitGadget
2022-10-24 23:08 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqfsfjpjny.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=brbrot@microsoft.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gitprplr@gmail.com \
--cc=keanenwold@github.com \
--cc=me@ttaylorr.com \
--cc=prplr@github.com \
--cc=veronica.Giaudrone@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.